Honeywell Experion Process Knowledge System and Application Control Environment Controller Vulnerability

By Frank Wood on October 8, 2021

Executive Summary

Honeywell products are widely adopted globally in various applications within the energy and manufacturing industries. More specifically, its Experion process knowledge system (PKS) and application control environment (ACE) are used within supervisory control and data acquisition (SCADA) systems at power-producing facilities. These distributed control systems (DCS) are complex systems designed to control extensive industrial processes, comprising multiple controllers, I/O devices, and human-machine interfaces (HMIs) [3].

In February, Honeywell announced a discovered vulnerability that affects PKS customers using C200, C200E, C300, and ACE controllers [3]. The announcement states, “a Control Component Library (CCL) may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller” [3].

On October 5, 2021, Claroty Team82 (a cybersecurity research team) published the technical details of how the controllers could be exploited. They explained that the CCL format is a “wrapper for [Dynamic Link Library] DLL/ [Executable and Linkable Format] ELF files” [2]. When the Control Builder software parses a CCL, “there are no security validations such as signature checking or sanitization of the library names” [2]. This allows a cyber actor to perform a “directory traversal attack and upload any DLL/ELF files they wish to arbitrary locations on the remote controller” [2]. The research team also found that CCLs sent to some endpoints were not checked for any signature and their code was executed immediately. After developing a proof of concept, Claroty alerted the Cybersecurity and Infrastructure Security Agency (CISA). On the same day, CISA issued an industrial control system (ICS) advisory, ICSA-21-278-04 [1], alerting critical manufacturers to the vulnerabilities.
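The two validations the research describes as missing, signature checking and sanitization of the embedded library name, are easy to state but easy to get wrong in order or in detail. The following is an added example, not code from the page, from Claroty, or from Honeywell; it does not reproduce the CCL format (whose layout this page does not describe) but models a generic “library name plus payload plus tag” wrapper. The key, file names, and payload bytes are constructed for the demonstration, and the HMAC stands in for the asymmetric signature a vendor pipeline would actually use.

```python
"""
Illustrative checks for a library-wrapper upload path (constructed example;
not Honeywell's CCL format, whose layout is not described on this page).

It shows the two validations the research describes as missing:
  1. the embedded library name is sanitized so it cannot escape the
     destination directory (relative path traversal, CWE-23);
  2. the payload's signature is verified before anything is written
     (unrestricted upload of a dangerous file type, CWE-434).
"""
import hashlib
import hmac
import os
import posixpath
import tempfile

# Constructed key for the demo; a real deployment would use an asymmetric
# signature with a vendor-held private key, not a shared secret.
DEMO_KEY = b"demo-signing-key-not-real"


def sign_payload(name: bytes, data: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Tag a (name, payload) pair the way a trusted build pipeline would.

    Binding the name into the tag means a valid payload cannot be re-sent
    under a different, traversal-carrying name without invalidating the tag.
    """
    return hmac.new(key, name + b"\0" + data, hashlib.sha256).digest()


def safe_library_path(name: str, dest_root: str) -> str:
    """Return an absolute path inside dest_root, or raise ValueError.

    Rejects empty names, NUL bytes, absolute paths, drive letters, any '..'
    segment, and (belt and braces) any resolved path outside dest_root.
    """
    if not name or "\0" in name:
        raise ValueError("empty or NUL-containing library name")
    # Treat both separators as separators so 'a\\..\\b' is not smuggled past posixpath.
    candidate = name.replace("\\", "/")
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        raise ValueError("absolute library name rejected")
    if any(part == ".." for part in candidate.split("/")):
        raise ValueError("path traversal rejected: %r" % name)
    normalized = posixpath.normpath(candidate)
    root = os.path.abspath(dest_root)
    full = os.path.abspath(os.path.join(root, *normalized.split("/")))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes destination root")
    return full


def is_safe_name(name: str, dest_root: str = "/srv/ccl") -> bool:
    """Boolean wrapper around safe_library_path for policy checks and tests."""
    try:
        safe_library_path(name, dest_root)
        return True
    except ValueError:
        return False


def verify_and_stage(name: str, data: bytes, tag: bytes, dest_root: str,
                     key: bytes = DEMO_KEY) -> str:
    """Validate a library before staging it; returns the staged path.

    Order matters: the tag is checked over the raw name and bytes before any
    filesystem interaction, and the name is validated before a file is opened.
    """
    expected = sign_payload(name.encode(), data, key)
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("signature mismatch; library rejected")
    path = safe_library_path(name, dest_root)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run three constructed cases in a temp dir; returns which were accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        good = b"\x7fELF" + b"\0" * 12  # constructed stand-in for an ELF payload
        tag = sign_payload(b"vendor/ctrl.elf", good)
        results["signed_in_root"] = os.path.isfile(
            verify_and_stage("vendor/ctrl.elf", good, tag, root))
        cases = [
            # correctly signed, but the name tries to leave the root
            ("traversal", "../../boot/ctrl.elf", good,
             sign_payload(b"../../boot/ctrl.elf", good)),
            # valid name, but the payload was altered after signing
            ("tampered", "vendor/ctrl.elf", good + b"X", tag),
        ]
        for case, name, data, t in cases:
            try:
                verify_and_stage(name, data, t, root)
                results[case] = True
            except (ValueError, PermissionError):
                results[case] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The traversal case is deliberately signed with a valid tag so that it reaches the path check: a signature proves who produced the wrapper, not that its contents are safe to place anywhere, so both layers are needed. Rejecting every `..` segment outright, rather than only normalizing, keeps the policy simple to audit.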

Vulnerability

CVE-2021-38397 – UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434. “The affected product is vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition” [1]. This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 10 [5].

CVE-2021-38395 – IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT CWE-74. “The affected product is vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition” [1]. This vulnerability has a CVSS score of 9.1 [5].

CVE-2021-38399 – RELATIVE PATH TRAVERSAL CWE-23. “The affected product is vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories” [1]. This vulnerability has a CVSS score of 7.5 [5].

Impact

If exploited, these vulnerabilities could have a very severe effect. SCADA systems run the majority of the world’s power and energy infrastructure. In recent years, there have been several successful cyberattacks on SCADA systems. Some of the most famous are Stuxnet [7], Industroyer [6], and Trojan Triton [4]. Their effects ranged from power outages and operational shutdowns to the destruction of nuclear centrifuges.

Mitigation

Honeywell released the R510.2 Hotfix 10 patch for C300 controllers and planned to release R501.6 and R511.5 later [3]. However, Honeywell will not be releasing any patches for the C200, C200E, or ACE controllers [3]. For the controllers that Honeywell will not be patching, CISA recommends that operators minimize “network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet” [2]. They should also “locate control system networks and remote devices behind firewalls and isolate them from the business network” [1]. “When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices” [1].

References

[1] CISA. (October 5, 2021). “ICS Advisory (ICSA-21-278-04): Honeywell Experion PKS and ACE Controllers.” us-cert.cisa.gov. Accessed October 7, 2021. https://us-cert.cisa.gov/ics/advisories/icsa-21-278-04.

[2] Henigman, R. & Erez, N. (October 5, 2021). “Target DCS: Finding, Fixing Critical Bugs in Honeywell Experion PKS.” Claroty.com. Accessed October 7, 2021. https://www.claroty.com/2021/10/05/blog-research-target-dcs-finding-fixing-critical-bugs-in-honeywell-experion-pks/.

[3] Honeywell. (February 22, 2021). “Security Notification SN 2021-02-22 01.” HoneywellProcess.com. Accessed October 7, 2021. https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf.

[4] Johnson, B. (December 14, 2017). “Attackers Deploy New ICS Attack Framework ‘TRITON’ and Cause Operational Disruption to Critical Infrastructure.” Mandiant.com. Accessed September 8, 2021. https://www.mandiant.com/resources/attackers-deploy-new-ics-attack-framework-triton.

[5] Lakshmanan, R. (October 6, 2021). “Multiple Critical Flaws Discovered in Honeywell Experion PKS and ACE Controllers.” TheHackerNews.com. Accessed October 7, 2021. https://thehackernews.com/2021/10/multiple-critical-flaws-discovered-in.html.

[6] Osborne, C. (April 30, 2018). “Industroyer: An In-depth Look at the Culprit Behind Ukraine’s Power Grid Blackout.” ZDnet.com. Accessed October 8, 2021. https://www.zdnet.com/article/industroyer-an-in-depth-look-at-the-culprit-behind-ukraines-power-grid-blackout/.

[7] Zetter, K. (February 26, 2013). “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon.” Wired.com. Accessed October 8, 2021. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.